From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, eparis@redhat.com,
jmorris@namei.org, sds@tycho.nsa.gov
Subject: Re: [PATCH v4 1/2] NetLabel: secid reconciliation support
Date: Wed, 04 Oct 2006 15:52:40 -0400 [thread overview]
Message-ID: <45241108.5040303@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF961@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>>>* XFRM present
>>>>
>>>> xfrm_sid = <full context from xfrm>
>>>> loc_sid = SECINITSID_NETMSG
>>>> nlbl_sid = SECSID_NULL/0
>>>> ext_sid = xfrm_sid
>>>> final skb->secmark = avc_ok : ext_sid ? unchanged
>
> Actually, I meant to cite the following instead of the above:
>
> * Nothing
>
> xfrm_sid = SECSID_NULL/0
> loc_sid = SECSID_NULL/0
> nlbl_sid = SECSID_NULL/0
> ext_sid = xfrm_sid
> final skb->secmark = avc_ok : ext_sid ? unchanged
Okay, thanks, I think I understand your point now. Let me try to
restate just to make sure.
Take two cases: the first being no labeling at all, the second being
only NetLabel ...
* Nothing
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* NetLabel
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
In the "Nothing" case the final skb->secmark is set to SECSID_NULL/0;
getpeercon() should return an error. In the "NetLabel" case the final
skb->secmark is set using the TE portions of SECINITSID_NETMSG and the
MLS label of the NetLabel packet; getpeercon() will succeed.
I understand in the "NetLabel" case above you think the TE portion of
the final skb->secmark value should come from
SECSID_NULL/SECINITSID_UNLABELED/0, but do you also want getpeercon() to
return an error in the "NetLabel" case? I think that's a bad idea as it
will made it *extremely* difficult for applications to determine the MLS
label of a connection using NetLabel.
>>>>* NetLabel present
>>>>
>>>> xfrm_sid = SECSID_NULL/0
>>>> loc_sid = SECSID_NULL/0
>>>> nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
>>>> ext_sid = nlbl_sid
>>>> final skb->secmark = avc_ok : ext_sid ? unchanged
>>>
>>>I was referring to the differences in what getpeercon would
>>>return in the above 2 scenarios.
>>>
>>>In the xfrm case: final skb->secmark would be 0
>>
>>resulting in getpeercon
>>
>>>to return EPROTONOOPT
>>
>>In the "XFRM present" case above if the access is allowed (avc_ok is
>>true) then the final skb->secmark value is going to be set to
>>the value
>>of ext_sid which is the xfrm_sid. Any calls made to
>>getpeercon() would
>>return success with the context matching xfrm_sid.
>
>
> You are right, but I was actually referring to the "Nothing"
> case above.
>
>
>>I have a hunch we are still on different pages here ...
>>
>>
>>>In the NetLabel case: final skb->secmark would be network_t
>>
>>resulting in
>>
>>>getpeercon to return network_t
>>
>>Yep, and I understand you would like to see it as
>>unlabeled_t. I think
>>we both have valid arguments for either case and we are just
>>waiting to
>>hear from others.
>>
>>--
>>paul moore
>>linux security @ hp
>>
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, eparis@redhat.com,
jmorris@namei.org, sds@tycho.nsa.gov
Subject: Re: [PATCH v4 1/2] NetLabel: secid reconciliation support
Date: Wed, 04 Oct 2006 15:52:40 -0400 [thread overview]
Message-ID: <45241108.5040303@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C0618592015CF961@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>>>* XFRM present
>>>>
>>>> xfrm_sid = <full context from xfrm>
>>>> loc_sid = SECINITSID_NETMSG
>>>> nlbl_sid = SECSID_NULL/0
>>>> ext_sid = xfrm_sid
>>>> final skb->secmark = avc_ok : ext_sid ? unchanged
>
> Actually, I meant to cite the following instead of the above:
>
> * Nothing
>
> xfrm_sid = SECSID_NULL/0
> loc_sid = SECSID_NULL/0
> nlbl_sid = SECSID_NULL/0
> ext_sid = xfrm_sid
> final skb->secmark = avc_ok : ext_sid ? unchanged
Okay, thanks, I think I understand your point now. Let me try to
restate just to make sure.
Take two cases: the first being no labeling at all, the second being
only NetLabel ...
* Nothing
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* NetLabel
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
ext_sid = nlbl_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
In the "Nothing" case the final skb->secmark is set to SECSID_NULL/0;
getpeercon() should return an error. In the "NetLabel" case the final
skb->secmark is set using the TE portions of SECINITSID_NETMSG and the
MLS label of the NetLabel packet; getpeercon() will succeed.
I understand in the "NetLabel" case above you think the TE portion of
the final skb->secmark value should come from
SECSID_NULL/SECINITSID_UNLABELED/0, but do you also want getpeercon() to
return an error in the "NetLabel" case? I think that's a bad idea as it
will made it *extremely* difficult for applications to determine the MLS
label of a connection using NetLabel.
>>>>* NetLabel present
>>>>
>>>> xfrm_sid = SECSID_NULL/0
>>>> loc_sid = SECSID_NULL/0
>>>> nlbl_sid = <SECINITSID_NETMSG te ctx, netlabel mls ctx>
>>>> ext_sid = nlbl_sid
>>>> final skb->secmark = avc_ok : ext_sid ? unchanged
>>>
>>>I was referring to the differences in what getpeercon would
>>>return in the above 2 scenarios.
>>>
>>>In the xfrm case: final skb->secmark would be 0
>>
>>resulting in getpeercon
>>
>>>to return EPROTONOOPT
>>
>>In the "XFRM present" case above if the access is allowed (avc_ok is
>>true) then the final skb->secmark value is going to be set to
>>the value
>>of ext_sid which is the xfrm_sid. Any calls made to
>>getpeercon() would
>>return success with the context matching xfrm_sid.
>
>
> You are right, but I was actually referring to the "Nothing"
> case above.
>
>
>>I have a hunch we are still on different pages here ...
>>
>>
>>>In the NetLabel case: final skb->secmark would be network_t
>>
>>resulting in
>>
>>>getpeercon to return network_t
>>
>>Yep, and I understand you would like to see it as
>>unlabeled_t. I think
>>we both have valid arguments for either case and we are just
>>waiting to
>>hear from others.
>>
>>--
>>paul moore
>>linux security @ hp
>>
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-10-04 19:52 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-04 19:37 [PATCH v4 1/2] NetLabel: secid reconciliation support Venkat Yekkirala
2006-10-04 19:37 ` Venkat Yekkirala
2006-10-04 19:52 ` Paul Moore [this message]
2006-10-04 19:52 ` Paul Moore
2006-10-04 20:09 ` Stephen Smalley
2006-10-04 20:21 ` Paul Moore
2006-10-04 20:39 ` Stephen Smalley
2006-10-04 20:53 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2006-10-04 19:53 Venkat Yekkirala
2006-10-04 19:53 ` Venkat Yekkirala
2006-10-04 20:08 ` Paul Moore
2006-10-04 20:08 ` Paul Moore
2006-10-04 20:27 ` Stephen Smalley
2006-10-04 20:52 ` Paul Moore
2006-10-04 21:12 ` Steve Grubb
2006-10-04 22:03 ` Joe Nall
2006-10-04 22:43 ` Paul Moore
2006-10-04 22:18 ` Linda Knippers
2006-10-04 20:12 ` Stephen Smalley
2006-10-04 19:02 Venkat Yekkirala
2006-10-04 19:02 ` Venkat Yekkirala
2006-10-04 19:27 ` Paul Moore
2006-10-04 19:27 ` Paul Moore
2006-10-04 19:45 ` Stephen Smalley
2006-10-04 19:45 ` Stephen Smalley
2006-10-04 17:09 Venkat Yekkirala
2006-10-04 17:09 ` Venkat Yekkirala
2006-10-04 16:59 Venkat Yekkirala
2006-10-04 16:59 ` Venkat Yekkirala
2006-10-04 18:45 ` Paul Moore
2006-10-04 18:45 ` Paul Moore
2006-10-04 15:46 [PATCH 0/2] [PATCH 0/2] Updated NetLabel/secid-reconciliation bits and a bugfix paul.moore
2006-10-04 15:46 ` [PATCH v4 1/2] NetLabel: secid reconciliation support paul.moore
2006-10-04 15:46 ` paul.moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45241108.5040303@hp.com \
--to=paul.moore@hp.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.